Streamline Security Configuration with the Security Templates Snap-in

One of the most time-consuming tasks in system administration is the process of locking down desktop computers. In the Security Options node of Group Policy a bewildering assortment of settings can be found. Enabling these settings on multiple computers can be a very repetitive experience. It is easy to miss a setting, and configuration errors can creep in.

A simple but effective strategy to minimize these problems is to use the Security Templates snap-in available in most versions of Windows. In Windows 7 the steps are as follows. Type “mmc” in the Start Menu search text box; “mmc.exe” will appear under the Programs link. Click on “mmc.exe” and a UAC prompt will appear. Click the Continue button and an empty MMC console will open with “Console1 - [Console Root]” in its title bar.

We can customize this empty console with many snap-ins, but we will only add the Security Templates snap-in. In the File menu select “Add/Remove Snap-in…” and a list of available snap-ins will appear in alphabetical order. Select the Security Templates snap-in, click the Add button and click OK. The Security Templates snap-in will have a default template search path of “C:\Users\%username%\Documents\Security\Templates”. Any templates found in that location will be displayed in the Details pane of the MMC console.

Windows 7 does not have any pre-configured templates, so we can create a template by right-clicking on the template search path and selecting “New Template…”. An empty template will be created that has settings for Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry Settings, Audit Policies and just about all of the security-related settings found in a Group Policy. After the desired settings are configured, the template can be saved with a unique name.

The template file will have an .INF extension and can be imported directly into the Security Options node of any Group Policy or Local Policy. It is only necessary to right-click on the node, select “import template” from the context-sensitive menu and browse to the template file location. The security settings in the template file will be enabled in any Group Policy into which it is imported and can be applied to a single computer or to thousands of computers at once.
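One way to check that a template's settings actually took effect, as an added example that is not part of the original post: the script below writes a small constructed template, exports the current local security policy with secedit, and lists every template setting whose effective value differs. The file names and the three setting values are assumptions chosen for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt; file names are constructed.
function Read-SecurityInf {
    param([Parameter(Mandatory)][string]$Path)
    # Parse an .INF template into a hashtable keyed "Section\Name".
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $name, $value = $line -split '=', 2
        if ($null -ne $value) { $settings["$section\$($name.Trim())"] = $value.Trim() }
    }
    return $settings
}

# Constructed sample template (three account-policy settings).
$template = Join-Path $env:TEMP 'baseline-example.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
'@ | Set-Content -LiteralPath $template -Encoding Unicode

# Syntax-check the template; secedit prints the result.
secedit /validate $template

# Export the current local security policy to a second .INF file.
$effective = Join-Path $env:TEMP 'effective-policy.inf'
Remove-Item -LiteralPath $effective -ErrorAction SilentlyContinue
secedit /export /cfg $effective /areas SECURITYPOLICY /quiet
if (-not (Test-Path -LiteralPath $effective)) { throw 'secedit /export produced no file.' }

# Report every template setting whose effective value differs or is absent.
$want = Read-SecurityInf $template
$have = Read-SecurityInf $effective
$drift = foreach ($key in ($want.Keys | Sort-Object)) {
    if ($key -like 'Unicode\*' -or $key -like 'Version\*') { continue }
    if ($have[$key] -ne $want[$key]) {
        [pscustomobject]@{ Setting = $key; Template = $want[$key]; Effective = $have[$key] }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Effective policy matches the template.' }
```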

A security template that is customized for your environment can be consistently applied to every computer on your network, saving you time and effort.

-Mark
